Image: NIST

Inspector general finds NIST mistakes have made vulnerability database ineffective

A key cybersecurity vulnerability database run by the National Institute of Standards and Technology (NIST) has been crippled by mismanagement and other strategic failings, leading to an extreme backlog, according to a new internal watchdog report.

NIST’s National Vulnerability Database (NVD) backlog mushroomed from 13,000 unprocessed security vulnerabilities in February 2024 to more than 27,000 by the end of 2025, “undermining the NVD’s utility and public trust,” according to a report published by the inspector general of the Department of Commerce Tuesday.

The NVD is a critical tool that industry and government cybersecurity workers use to prioritize which cybersecurity vulnerabilities need to be addressed in what order. The worsening backlog first became a serious issue in February 2024 when NIST stopped paying the contractors who process the security flaws.

Poor planning by NIST has led to the increasingly dire state of affairs, according to the report, which said that NIST had pledged to fix the problem by September 2024 but did not come close to meeting its goal of processing about 6,200 vulnerabilities a month.

The agency had historically never processed more than 5,000 vulnerabilities a month and acknowledged that it had no plan for how to reach its goal, the report said.

“NIST does not have sustainable processes to manage NVD submissions and will be unable to clear the backlog of unprocessed vulnerabilities or prevent future processing delays without significant changes,” the report said.

The inspector general’s findings were first reported by CyberScoop. NIST did not immediately respond to a request for comment.

Duplicating efforts

In addition to weak strategic planning, NIST failed to communicate with the Cybersecurity and Infrastructure Security Agency (CISA). The agencies duplicated work in at least 21,000 instances from May 2024 through December 2025, the report said. 

CISA launched its own Vulnrichment program in May 2024, but NIST failed to coordinate with the agency once its NVD program rehired the contractors it relies on to maintain its database. At one point, the two agencies hired the same contractor to perform identical work.

NIST’s failure to engage with CISA first became evident when NIST declined to respond to a CISA invitation to collaborate, according to the report.

The decision to process vulnerabilities already addressed by CISA has wasted about $200,000 since May 2024, the report said, citing “insufficient communication [that] has frustrated stakeholders and decreased confidence in the NVD.”

“NIST considers the NVD a key piece of the U.S. cybersecurity infrastructure, but its actions to resolve and prevent processing backlogs do not reflect that characterization,” the report said. “Until the backlog is resolved and processes are made sustainable, the NVD will not achieve its mission, and public trust in the NVD will continue to erode.”

Fixing the issue

The inspector general recommends that NIST become more efficient when assigning severity scores and labeling which products are impacted. NIST will save about $800,000 over the next two years if it spends less time on the scoring, according to the inspector general.

NIST can safely decrease its work on scoring because it is of negligible value, according to the report, which found that 80% of vulnerability submissions include severity scores when they are first presented. Additionally, NIST’s severity scores only match those produced by independent assessors 12% of the time, the report said.

The agency also has failed to communicate effectively with stakeholders, the report said, citing an open letter that 50 cybersecurity professionals sent to Congress and the Secretary of Commerce in April 2024. According to the report, neither NIST nor the Department of Commerce ever responded to the letter, underscoring the letter writers’ contention that there had been a “lack of transparent communication” about the “regression on NVD operations.”

NIST must forge a plan for how to fix the NVD and eliminate the backlog, begin communicating with stakeholders more efficiently, no longer do as much severity scoring and collaborate with CISA to avoid overlapping efforts, the report said.

The agency concurred with the recommendations and will begin work to improve its operations immediately, according to an April letter from NIST Acting Director Craig Burkhardt that was included in the report.

NIST should cede responsibility for the NVD to CISA, according to Michael Daniel, the president and CEO of the Cyber Threat Alliance.

“Running a long-term, ongoing operational program like the NVD falls more properly in CISA’s mission,” Daniel said via text. “NIST has significant resource shortfalls.”

Suzanne Smalley is a reporter covering digital privacy, surveillance technologies and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.